NSA Follows You With Google’s Cookie Trail

The US National Security Agency (NSA) is using Google cookies in order to track potential targets, according to a new report published Dec. 10 in The Washington Post.

The report is based on material leaked by whistleblower Edward Snowden and explains how the NSA uses cookies for their own purposes. Cookies are widely used on the Internet today by advertisers in order to track users, in a bid to customise ads and deliver more personalized user experiences.

No one is surprised

Security experts contacted by eWEEK were not surprised by the latest NSA spying revelation.

Robert Hansen, security researcher and director of product management at WhiteHat Security told eWEEK that Google’s tracking has become so prolific and so accurate that the government can and does now leverage this information for exploitation.

“We have long advocated that Google should not be tracking users in this way for exactly these kinds of reasons; if tracking occurs, it can be leveraged by adversaries,” Hansen said. “Really, Google can’t help but break people’s privacy. It is the foundation of their $40 billion dollar a year advertising business despite the fact that we now know for certain that it can and is being leveraged by at least one set of government actors.”

Hansen added that from his perspective, this is the sort of nightmare scenario he and others in the security community have been warning about for years. If you track users at all, it will be used against them at some point.

In-browser session cookie

According to the report, the NSA is leveraging a specific type of Google cookie known as the PREF ID used to maintain Web-browser sessions and preferences. Lucas Zaichkowsky, enterprise defence architect at AccessData, explained to eWEEK that there’s a lot of information about a potential target that can be gleaned from the PREF cookie information.

“The really interesting part is they say it’s being used to enable remote exploitation,” Zaichkowsky said. “A common example of this is that some Web pages will put sensitive log-in information directly into a cookie or rely solely on the cookie to validate the user’s identity so they don’t have to log back in to a Web page.”

Zaichkowsky added that if this kind of a cookie is stolen, the NSA or whoever is doing the hacking can use your cookie to get on a Web page logged in with your identity without using a password.

Allan Foster, vice president of technology and standards with identity management software company ForgeRock, is also among those that isn’t surprised that the NSA is using cookies to track targets.

“As we have seen from the revelations from Snowden about the breadth and scope of the surveillance being performed by the NSA, it is obvious that almost all of the so called theoretical vulnerabilities we know about are being actively exploited by the eye of Sauron,” Foster said.

What should you do?

Cookies are a well-known and understood technology and there are a variety of tools and techniques that can be leveraged by enterprises and individuals that want to avoid being tracked.

Carl Livitt, managing security associate for security consulting company Bishop Fox told eWEEK that individuals can use browser plug-ins to manage cookies and place Google’s tracking cookies on a white list. He added that enterprises can use perimeter defenses to modify HTTP traffic to remove the offending cookies.

“However, that’s a very narrow tactical defense and I’m sure the NSA uses far more than just the Google cookies,” Livitt said. “The real defense is to push for a change in the law to prevent carte-blanche wiretaps of civilian communications; good luck with that.”

Earlier this week, a group of top US Internet companies, including AOL, Facebook, Google, LinkedIn, Microsoft and Yahoo, issued an open letter asking for just that—widespread reforms of government surveillance.

Tal Klein, vice president of marketing at cloud application security company Adallom told eWEEK that in general, the majority of Web users are foregoing a great deal of privacy.

“Personally identifiable information is the bitcoin of the commercial Internet, and by that I mean, it’s easier to think about it in the context of currency,” Klein said. “The amount of effort required to opt out of being part of this currency is akin to physically dropping off the grid, which as we know is harder and harder in the digital age.”

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist

Do you know about biometric technology? Try our quiz!

Originally published on eWeek.

Sean Michael Kerner

Sean Michael Kerner is a senior editor at eWeek and contributor to TechWeek

View Comments

  • The dystopian fantasies of yesteryear are now a reality. We’ve allowed the coming of an age where the civil liberties our forefathers fought so hard for are being eroded by the day. Freedom of Press, Freedom of Speech and Freedom of Assembly are mere ghostly images of their original intent. We’ve woken up to an Orwellian Society of Fear where anyone is at the mercy of being labeled a terrorist for standing up for rights we took for granted just over a decade ago. Read about how we’re waging war against ourselves at http://dregstudiosart.blogspot.com/2011/09/living-in-society-of-fear-ten-years.html

Recent Posts

US Finalises Billions In Awards To Samsung, Texas Instruments

US finalises $4.7bn award to Samsung Electronics, $1.6bn to Texas Instruments to boost domestic chip…

5 hours ago

OpenAI Starts Testing New ‘Reasoning’ AI Model

OpenAI begins safety testing of new model o3 that uses 'reasoning' process to ensure reliability…

5 hours ago

US ‘Adding Sophgo’ To Blacklist Over Link To Huawei AI Chip

US Commerce Department reportedly adding China's Sophgo to trade blacklist after TSMC-manufactured part found in…

6 hours ago

Amazon Workers Go On Strike Across US

Amazon staff in seven cities across US go on strike after company fails to negotiate,…

6 hours ago

Senators Ask Biden To Extend TikTok Ban Deadline

Two US senators ask president Joe Biden to delay TikTok ban by 90 days after…

7 hours ago

Journalism Group Calls On Apple To Remove AI Feature

Reporters Without Borders calls on Apple to remove AI notification summaries feature after it generates…

7 hours ago